As I look in the SOS index i see all my 13 splunk systems showing a restart or start command to port 8089 like this;
splunkd -p_8089_restart
OR like this;
splunkd -p_8089_start
I have a suspicion that this is the command that that was given to start splunk so if I sent restart or start then that is what the process shows. Is that right?
Also I see some process commands like this;
splunkd -h_xxx.xxx.xxx.xxx_-p_8089_restart
Why do some start with the -h switch and some do not?
Splunkd is normally started by some invocation of $SPLUNK_HOME/bin/splunk, and I am thinking that you will see a start or restart option on the command in ps depending on how it was started. I am thinking that the -h parameter you are seeing is coming from an option in a stanza in a server.conf on one of your machines. I would look at server.conf(s) on the machine implicated by the value you see for -h or use btool on the system in question (which should also be the identified host value of an example event) to identify where this config item is coming from:
./splunk cmd btool server list --debug